Book Chapter

Introduction to COBIT for SOX compliance

Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools
By Christian Lahti, Roderick Peterson, Steve Lanza
Syngress
356 Pages; $49.95

In this excerpt from Chapter 2 of Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, authors Christian Lahti, Roderick Peterson, Steve Lanza, introduce COBIT and the standard's six components.


Sarbanes-Oxley compliance will significantly impact the IT organization of most public companies. However, there is one enormous problem: there is no specific mention of IT in Section 404, and more importantly, there are no specifics as to what controls have to be established within an IT organization to comply with Sarbanes-Oxley legislation.

If there is no specific mention in Section 404 as to what IT needs to do to comply with Sarbanes-Oxley, the logical question would be,"How can I comply with something without knowing what I need to do to comply?" Although there are various standards a company can use for defining and documenting its internal controls -- ITIL (IT Infrastructure Library), Six Sigma, and COBIT -- the majority of auditors have adopted COBIT.

ITIL is an international series of documents used to aid the implementation of a framework for IT Service Management.The intent of the framework is to define how Service Management is applied within specific organizations. Given that the framework consists of guidelines, it is agnostic of any application or platform and can therefore be applied in any organization.

MORE INFORMATION

Read Chapter 2, SOX and COBIT defined

Learn more about SOX compliance with our Learning Guide

Visit our resource center for more information on COBIT

In many organizations, Six Sigma simply means a measure of quality that strives for near perfection. Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects (driving toward six standard deviations between the mean and the nearest specification limit) in any process—from manufacturing to transactional and from product to service.

COBIT stands for Control Objectives for Information and Related Technology. While the COBIT guidelines have been around since 1996, the guidelines and best practices have almost become the de facto standard for auditors and SOX compliance, mostly because the COBIT standards are platform independent.There are approximately 300 generic COBIT objectives, grouped under six COBIT Components. When reviewing and applying the COBIT guidelines and best practices, keep in mind that they will need to be tailored to your particular environment.

The six COBIT components

COBIT consists of six components:

  • Executive Summary Explains the key concepts and principles.
  • Framework Foundation for approach and COBIT elements. Organizes the process model into four domains:
    -- Plan and organize
    -- Acquire and implement
    -- Deliver and support
    -- Monitor and evaluate
  • Control Objective Foundation for approach and COBIT elements. Organizes the process model into the four domains (discussed in a moment).
  • Control Practices Identifies best practices and describes requirements for specific controls.
  • Management Guidelines Links business and IT objectives and provides tools to improve IT performance.
  •  Audit Guidelines Provides guidance on how to evaluate controls, assess compliance and document risk with these characteristics:


-- Define "internal controls" over financial reporting
-- Internally test and assess these controls
-- Support external audits of controls
-- Document compliance efforts
-- Report any significant deficiencies or material weaknesses

In conclusion, although an IT organization is free to select any predefined standards, or even one they develop to assist them in obtaining Sarbanes-Oxley compliance, the mostly widely accepted standard is COBIT. Subsequently, you may find that selecting COBIT will be the path of least resistance to Sarbanes-Oxley compliance.

Read the rest of Chapter 2, SOX and COBIT defined


This was first published in December 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: